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A modern approach to engineering correct-by-construction systems is to synthesize them automati¬ 
cally from formal specifications. Oftentimes, a system can only satisfy its guarantees if certain envi¬ 
ronment assumptions hold, which motivates their inclusion in the system specification. Experience 
with modern synthesis approaches shows that synthesized systems tend to satisfy their specifications 
by actively working towards the violation of the assumptions rather than satisfying assumptions and 
guarantees together. Such uncooperative behavior is undesirable because it violates the aim of syn¬ 
thesis: the system should try to satisfy its guarantees and use the assumptions only when needed. 

Also, the assumptions often describe the valid behavior of other components in a bigger system, 
which should not be obstructed unnecessarily. 

In this paper, we present a hierarchy of cooperation levels between system and environment. 

Each level describes how well the system enforces both the assumptions and guarantees. We show 
how to synthesize systems that achieve the highest possible cooperation level for a given specification 
in Linear Temporal Logic (LTL). The synthesized systems can also exploit cooperative environment 
behavior during operation to reach a higher cooperation level that is not enforceable by the system 
initially. The worst-case time complexity of our synthesis procedure is doubly-exponential, which 
matches the complexity of standard LTL synthesis. This is an extended version of Q that features 
an additional appendix. 

1 Introduction 

When synthesizing reactive systems from their formal specifications, we typically start with a set of 
guarantees that the system should fulfill and a set of assumptions about the environment. A synthesis 
tool then computes an implementation that satisfies the guarantees in all environments that satisfy the 
assumptions. In many specifications, the system can influence whether the assumptions are satisfied; 
in particular, the system can actively force the environment to violate the assumptions. The resulting 
implementation is correct: it fulfills its guarantees if the assumptions are fulfilled. However, it does so in 
an undesirable way. 

Take for example a flight stabilization system that adds small forces to choices of forces issued by 
the pilot. The system guarantees state that there is little jitter in the absolute forces applied. This can 
only work for “well-behaved” evolutions of the manually selected force values, which in turn depend 
on the forces currently applied. Without the well-behavedness assumption, the system has no way to 
stabilize the flight. However, if the system has the opportunity to add forces that make the pilot violate 
this assumption, it can do so without violating its overall specification (namely that the guarantees must 
hold whenever the assumptions hold). Clearly, such behavior is not covered by the specifier’s intent. 

This observation leads to the question of how we can synthesize systems that cooperate with the 
environment whenever possible. Our main idea is that, at any point in time, the system should try to be 
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as cooperative as possible while still ensuring correctness. Depending on the concrete situation, several 
levels of cooperation may be possible. Some examples are: 

1. The system can enforce both the assumptions and guarantees to hold. 

2. The system can enforce the guarantees if the assumptions hold and the system can give the envi¬ 
ronment the opportunity to satisfy the assumptions at the same time. 

3. The system can neither enforce the assumptions nor the guarantees, but environment and system 
together can satisfy both. 

The first of these levels is most beneficial: fhere is no need fo rely on fhe environmenf, nol even for 
satisfying fhe assumpfions. On fhe second level we can safisfy fhe correcfness objective even wifhouf 
allowing fhe system fo enforce an assumpfion violation. From sfafes of fhe fhird level, fhe system can- 
nof enforce correcfness. However, instead of resigning and behaving arbifrarily, fhe sysfem sfill offers 
some executions along which bofh fhe assumptions and guarantees are fulfilled, fhereby opfimisfically 
assuming fhaf fhe environmenf is helpful. 

In fhis paper, we perform a rigorous analysis of cooperation befween fhe system and ifs environment 
in the setting of reactive synthesis. We generalize the three levels of cooperation from above to a fine¬ 
grained cooperation hierarchy fhaf allows us fo reason abouf how cooperative a confroller for a given 
specification can be. A level in our hierarchy describes whaf objectives (in terms of assumptions and 
guarantees) the controller can achieve on its own and for what objectives it has to rely on the environment. 

As a second contribution, we present a synthesis procedure to construct a controller that always picks 
the highest possible cooperation level in our hierarchy for a given linear-time temporal logic (LTL) spec¬ 
ification. The synthesized controllers do not only enforce the highest possible level statically, but also 
exploit environment behavior that enables reaching a higher level that cannot be enforced initially. Thus, 
implementations synthesized with our approach are maximally cooperative, without any need to declare 
cooperation in the specification explicitly by enumerating scenarios in which a system can operate in 
a cooperative way. Our maximally cooperative synthesis procedure takes at most doubly-exponential 
time, which matches the complexity of standard LTL synthesis. Our techniques are applicable to all (0- 
regular word languages. For specifications given as deterministic Rabin word automata, the complexity 
is polynomial in the number of states and exponential in the number of acceptance condition pairs. 

Outline. The presentation of this paper is structured as follows. Section [2] reviews related work 
and Section [3] introduces background and notation. Section|4]then presents our hierarchy of cooperation 
levels, while Section [5] describes our synthesis approach for obtaining cooperative systems. We conclude 
in Section [6] 

2 Related Work 

In earlier work [6j, we already pointed out that existing synthesis approaches handle environment as¬ 
sumptions in an unsatisfactory way. We postulated that synthesized systems should {\) be correct, (2) 
not be lazy by satisfying guarantees even if assumptions are violated, (3) never give up by working to¬ 
wards the satisfaction of the guarantees even if this is not possible in the worst case, and (4) cooperate by 
helping the environment to satisfy the assumptions that we made about it |6l. Our current work addresses 
all of these challenges. 

Besides correctness, our main focus is on cooperation, which is also addressed by Assume-Guarantee 
Synthesis lfT2l and synthesis under rationality assumptions EIElllIlIIll- These approaches do not dis¬ 
tinguish between system and environment, but synthesize implementations for both. Each component 
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works under certain assumptions about the other components not deviating from their synthesized imple¬ 
mentations arbitrarily. In contrast, our work handles the system and its environment asymmetrically: we 
prefer the guarantees over the assumptions and prioritize correctness over supporting the environment. 

Similar to existing work on synthesis of robust |4il and error-resilient systems, our synthesis 
approach is also not lazy |S in satisfying guarantees. The reason is that satisfying guarantees is more 
preferable in our cooperation hierarchy than satisfying guarantees only if the assumptions are satisfied. In 
contrast to the existing work, we do not only consider the worst case environment behavior for satisfying 
guarantees (even if assumptions are violated), but also the scenario where guarantees can only be satisfied 
wifh fhe help of fhe environment. 

Like uni, we also address the never give up challenge |i61 because our cooperation hierarchy also 
includes levels on which the system cannot enforce the guarantees any more. Still, our synthesis approach 
lets the system satisfy the guarantees for some environment behavior whenever that is possible. 

In contrast to quantitative synthesis |[Il[5l where the synthesized system maximizes a certain pay-off, 
our approach is purely qualitative: a certain level of the hierarchy is either achieved or not. In this way, 
we not only avoid the computational blow-up induced by operating with numerical data, but also remove 
the need to assign meaningful quantities (such as probabilities) to the specifications. 

Finally, ifTSl presents an extension of a synthesis algorithm for so-called GR(1) specifications ||8l 
to produce mission plans for robots that always offer some execution on which both assumptions and 
guarantees are satisfied. Hence, lITSl gives a solution for one level in our hierarchy, implemenfed for a 
subsef of LTL. 


3 Preliminaries 

We denote fhe Boolean domain by B = {false, true} and fhe sef of nafural numbers (including 0) by N. 

Words: We consider synfhesis of reactive systems wifh a finite sef I = {/i,...,/,,,} of Boolean inpuf 
signals and a finite sef O = (oi,. ■■ ,o„} of Boolean oufpufs. The inpuf alphabef is = 2^, fhe oufpuf 
alphabef is ^ = 2^, and L = x The sef of finife (infinite) words over £ is denofed by £* (£“), 
where e is fhe word of lengfh 0. A sef L C £“ of infinife words is called a {word) language. 

Specifications: A specificafion (p over £ defines a language L{(p) of allowed words. In fhis paper, speci- 
ficafions consisf of fwo parts, fhe environment assumptions and fhe system guarantees ^. These parts 
can be combined by logical operators. For example, we write jz/ —fo specify fhaf fhe guarantees 
(only) need fo hold if fhe assumpfions are safisfied. We say fhaf some finife word >v € £* is a had prefix 
for (p if fhere does nof exisf a word w' G £® such fhaf ww' € L{(p). The sef of infinife words fhaf have no 
bad prefixes of cp will be called fhe safety hull of cp. 

Reactive systems: A reacfive system inferacfs wifh ifs environmenf in a synchronous way. In every fime 
sfep j, fhe system firsf provides an oufpuf letter yj G G, after which fhe environmenf responds wifh an 
inpuf letter xy G ■J’. This is repeated in an infinife execution fo produce fhe trace w = (xo,yo)(-^i At) • • • S 
£“. 

We can represenf fhe complefe behavior of a reacfive system by a computation tree {T, t), where T 
is fhe sef of nodes and a subsef of and z assigns labels fo fhe free nodes. In such a free, we have 
T :T G, i.e., fhe free nodes are labeled by fhe lasf oufpuf of fhe system. We call frees {T,z) wifh 
T = full trees and consider only fhese henceforlh, unless ofherwise sfafed. We say fhaf some frace 
w = (xo,yo)(xi,yi) ■ ■ ■ G £“ is included in (r,T) if for all i G N, y, = t(xo .. .x,_i). In such a case, we 
also say fhaf w is a branch of (T, t). 


4 


Cooperative Reactive Synthesis 


We say that some specification q) is realizable if there exists a computation tree for the system all of 
whose traces are in L{(p). The set of traces of (T, t) is denoted by L{{T, r)) and called the word language 
of (r, t). The set of all computation trees over and is denoted by 5^. Since a computation tree 
represents the full behavior of a reactive system, we use these two terms interchangeably. 

Rabin word and tree automata: In order to represent specifications over £ in a finitary way, we employ 
Rabin automata. For word languages, we use deterministic Rabin word automata, which are defined as 
tuples = (2,r, 5,(7 o,^), where Q is the finite set of states, L is the finite alphabet, 5 : 2 x £ —>• 2 is 
the transition function, qo ^ Q is the initial state of and ^ C 2^ x 2^ is the acceptance condition of 

Given a word w € £“, induces a run 7t = 7to7ti7t2 ■ ■ ■ G 2®, where tiq = qo and for every i G N, we 
have 7ti+i = 5{7ti,Wi). The run n is accepting if there exists some acceptance condition pair {F,G) G ^ 
such that inf(7r) flF = 0, and inf( 7 r) nG 7 ^ 0, where inf maps a sequence to the set of elements that 
appear infinitely often in the sequence. We say that w is accepted by M if there exists a run for w that 
is accepting. The language of denoted as L{I%), is defined to be the set of words accepted by 
The language of a state q £Qis defined to be the language of the automaton = {Q, l,,5,q,,^), which 

differs from M only by its initial state. Without loss of generality, we assume that every Rabin automaton 
has a designated state T that has the full language, i.e., for which = £“. 

In addition to deterministic Rabin word automata, we will later also need non-deterministic Rabin 
tree automata. A non-deterministic Rabin tree automaton M ff,5,qo,^) is defined similarly 

to a word automaton, except that 5 has a different structure, and we now have two alphabets, namely 
a branching alphabet and a label alphabet 0. The transition function 5 is defined as 5 : 2 x ^ 

a tree automaton accepts or rejects computation trees instead of words. Given a computation 
tree (T, t), we say that some tree (£', x') is a run tree of for (T, x) if T' = T, x’: T' ^ Q, xfe) = qo, 
and for all t' G T', there exists a function / G 5{x’{t'),x{t')) such that for all i G J^, f{i) = x'{t’i). We say 
that {T',x') is accepting if every branch of {T',x') is accepting, i.e., its sequence of labellings satisfies 
the Rabin acceptance condition We say that a tree automaton accepts a computation tree if it has a 
corresponding accepting run tree. 

Given a Rabin word automaton as specification over the alphabet L = x 0, we can check if 
there exists a tree with branching alphabet and label alphabet 0 all of whose traces are in the language 
of It has been shown that this operation can be performed in time exponential in |,^| and polynomial 
in |2| by first translating the Rabin word automaton to a non-deterministic Rabin tree automaton with 
the same set of states and the same acceptance condition (in linear time), and then checking the tree 
automaton’s language for emptiness ifT^ . This approach gives rise to a reactive synthesis procedure 
for specifications in linear temporal logic (LTL) fl^ : we can first translate the LTL specification to a 
deterministic Rabin word automaton with a number of states that is doubly-exponential in the length 
of the specification, and a number of acceptance condition pairs that is exponential in the length of the 
specification. Overall, this gives a doubly-exponential time procedure for LTL reactive synthesis, which 
matches the known complexity of the problem. 


4 A Hierarchy of Cooperation Levels 

In this section, we develop a hierarchy of cooperation levels that a system may achieve. We use a special 
logic to specify desired properties of the system to be synthesized. The syntax of a formula <I> in this 
logic is defined as 

<I> ::= (p I (E) q) \ G{E) (p | <I> A<I>, 


(1) 
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where (p is a linear-time specification (e.g., an LTL formula) over an alphabet £. The Boolean connective 
A has its expected semantics. The formula {E) cp is satisfied for a sysfem (T, t) if fhere exisfs some frace 
of (T, t) on which (p holds. Similarly, fhe formula G{E)(p is satisfied if, from any poinf in a reactive 
sysfem’s frace fhaf has been seen so far, fhere exisfs some suffix frace of fhe sysfem such fhaf cp holds. 
We call an insfance of fhe grammar in Formula[I]a cooperation level specification. Our logic ranges over 
compufafion frees and has similarifies fo strategy logic ifTTi as well as alternating-time temporal logic 
(ATL) lH. Yef, ifs semantics, fo be given below, is very differenl. In parficular, linear-lime specificafions 
(p are seen as alomic and even wilhin fhe scope of a G operafor, cp is only evaluafed on complete traces 
of a system, always sfarfing al fhe roof of a compulation free. 

More formally, we define fhe semanlics as follows. Formulas are interpreted over a compulation free 
(r, t) € cY’ using fhe following rules: 




iff iw € L{{T, z)) : w € L{(p) 

(r,T) 

h{E)tp 

iff 3w & L{{T,z)) :w & L{q)) 

(r,T) 

^G{E)tp 

iff Vw G L{{T,z)),i G N.3w' G L{{T,z))riL{q)) 



W0...Wi-l = Wo...>v'_i 

(r,T) 

A <I>2 

iff ((r,T)|=<i>i)A((r,T)^<i>2) 


Mosl cases are slraighfforward, buf G{E) (p requires some affenlion. We follow an arbilrary frace of (T, z) 
up fo step / — 1. Al step / — 1, fhere musl be some confinuafion of fhe frace fhaf satisfies (p and fhaf is pari 
of fhe system’s compufafion free. If such a confinuafion exisfs in every step i, Ihen G{E) cp is salisfied. 

4.1 Defining the Interesting Levels of Cooperation 

We sfarl wilh fhe linear-time specificafion £/, which represents the assumptions about the environment, 
and which represents the guarantees. We can combine them to the linear-time properties ^‘IS and 
l\^. The first of these represents the classical correctness requirement for reactive synthesis, while 
the latter represents the optimistic linear-time property that both assumptions and guarantees hold along 
a trace of the system. As generators for cooperation level specifications, we consider all rules from the 
grammar in Equation [T] except for the second one, as it is rather weak, and only considers what can 
happen from the initial state of a system onwards. Additionally, leaving out the conjuncts of the form 
(£')(p strengthens the semantic foundation for our maximally cooperative synthesis approach in Sect. l5.2l 
However, we discuss the consideration of conjuncts of the form {E)(p in Section 1431 

Combining all four linear-time properties with the two chosen ways of lifting a linear-time property 
to our logic gives the following different conjuncts for cooperation level specifications: 

D = ^ W,W,£/,G{E) {£/ A^),G{E)^,G{E) £/,G{E) {£/ -A ^)} (2) 

A cooperation level specification is a conjunction between elements from this set. So there are 2^ = 128 
possible cooperation levels in this setting. Note that we removed the linear-time property si from D, 
as it can be simulated by a conjunction between si and on the level of cooperation level specifications. 

We can reduce the 128 possible cooperation levels substantially by using our knowledge of the se¬ 
mantics of cooperation level specifications, which can be expressed in reduction rules. For example, if 
in a cooperation level specification, for some linear-time property (p G \^sisi .,si At#}, (p is a 
conjunct along with G{E)(p, then we can remove the latter from the cooperation level specification as 
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Figure 1: A Hasse diagram of the hierarchy of cooperation levels. 


that conjunct is implied by the former. This is because if along every trace of a computation tree, q) 
holds, then for every node in the tree, we can find a trace containing the node along with tp holds. In a 
similar fashion, we can observe 

• that implies .e/ —, 

• that G{E) {£sf implies G{E) £/ and G{E)W, 

• that implies G(£') —>■ f#), 

• that and together imply and 

• that si and G{E) together imply G{E) {si Af^), 

• that si and G{E)^ together imply G{E) (si Af^), 

• that G{E) {si —> and si together imply G{E) (f#). 

Only in the last three of these rules, conjuncts of the forms G{E)(p and tp interact. For example, if 
si holds along all traces of a computation tree, and we know that through every node in the tree, 
there is a trace on which si holds, then along this trace, si t\'^ holds as well. Thus, we also know that the 
computation tree satisfies G(£') {si Af#). Nofe fhaf G{E) {si Af#) is nof equal fo G(£') (f#) AG{E) {si) 
because fhere exisf compulation frees for which a pari of Iheir Iraces satisfy si A Ihe olher Iraces 
salisfy W A -isi, bul none of Iheir Iraces salisfy si l\'^. 

Afler reducing Ihe sel of disfincf cooperation levels by fhese reduclion rules, we oblain only 15 
semanfically differenl subsefs of D, which form a lalfice wifh ils partial order defined by implicalion. 
We leave oul Ihe true elemenl of Ihe lalfice in Ihe following (as if is Irivially salisfied by all compulation 
frees), and visualize fhe remaining cooperation levels hierarchically in Fig. [T] For every cooperation 
level, implied elemenfs of D have also been lefl oul in fhe vertex labeling. Every edge in Ihe figure 
denoles a “slricfer lhan”-relafion, wifh fhe upper elemenl being fhe slricfer one. Vertices lhal enforce fhe 
Iradilional correclness criferion si are colored in gray. 
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In the next section, we discuss the different levels of the cooperation hierarchy in an example. After 
that, we will discuss design decisions that we made when constructing the hierarchy, as well as extensions 
and alternatives. 

4.2 Example 

This section presents an example from real life to illustrate some cooperation levels from Fig. [T] A more 
extensive example will be presented in Appendix lAl 

An IT provider makes a contract with a customer. The provider promises that whenever the computer 
breaks, it will eventually deliver a new computer, or one of its technicians will come to the customer 
to fix the computer while providing some free printing supplies as a bonus. The customer accepts the 
conditions, mainly because of the possibility of free printing supplies. The contract between the customer 
and the IT provider contains the following assumptions under which it has to be fullfilled: (1) every traffic 
blockade on the way to the customer is eventually cleared, and (2) if the road to the customer is clear 
and the IT provider technician is working on the computer, then it will eventually be fixed. The latter 
assumption is part of the contract to exclude problems with the customer’s software, which is not the 
responsibility of the IT provider. By simply replacing parts of the computer one-by-one, the problem is 
eventually fixed. We also have an additional assumption that traffic can be blocked on purpose by the IT 
provider, which is not written into the contract. 

We model the setting with two Boolean input variables c, b and four Boolean output variables t,d,m,n 
for the IT service provider’s behavior. Variable c is true if the computer is currently working, b is true 
when the traffic is not blocked, / = true indicates that the IT provider’s technician is trying to fix the 
computer, m = true means that free printing supplies are delivered, n = true means that the IT service 
provider delivers a new computer, and d = true means that the provider currently blocks the traffic on 
purpose. In LTL syntajfl. the guarantee can be written as = G(-'C —F(n V (c Am))). The assumptions 
can be formalized as = G(Ff7) A G((f7 A/) —)■ Fc) A G(<i — >■ -^b). 

The following table summarizes some cooperation levels that can be achieved with different behavior 
of the IT provider, each expressed as an LTL property whose fulfillment completely determines the 
valuation of the output variables in all time steps. We focus on levels that enforce (which are 

colored gray in Fig.[T]). 


Nr. 

Behavior 

Level in Fig. [T] 

1 

G[d A —<f A —'in A —<n) 


2 

G{d Am A -■/A -m) 

^W)AG{E)W 

3 

G{f Am A-'U A-'d) 

AG(£)i^ 

4 

G (n A J A-■/A-im) 


5 

G{nA-'d A -'f A -im) 

WaG{E)£/ 


Behavior 1 enforces an assumption violation by blocking the traffic. This is very uncooperative 
with the customers (and all other drivers on the streets). In this case, G{E)£/ does not hold as the 
environment cannot satisfy from any point in any trace because it cannot set b to true at some point 
without violating but not ever doing so violates as well. The cooperation level specification part 
G(£') does not hold either because since n and m are both false all of the time, is not fulfilled along 
any trace. 

Behavior 2 is better because printing supplies are always delivered. This satisfies G{E)^ because, 
at any point, the environment can make the computer work again (which occasionally happens with 
computers). G(£') j?/ is still not satisfied for the same reason as before. 

*In LTL syntax, G means “always” and F means “eventually”. 
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Behavior 3 is even less destructive. The technician tries to fix the computer (/ = true) and brings 
along free printing supplies {m = true) without blocking traffic. This satisfies the guarantees if the 
assumptions are satisfied. On top of that, the assumptions can always be satisfied by setting both b and c 
to true. Since d is always false, the last assumption (which was the problem before) always holds. 

Behavior 4 is better than Behavior 2 but incomparable with Behavior 3. By always (or repeatedly) 
providing a new computer, ^ is enforced independent of the assumptions. However, Q{E) does not 
hold because, since the traffic is blocked {d = true), the assumptions cannot hold. 

Behavior 5 is similar but without enforcing a traffic blockade. It thus satisfies ^ and G{E) simul¬ 
taneously. The last two of the four assumptions are even enforced. However, since the first assumption 
cannot be enforced by any behavior of the IT provider, t\sC cannot be achieved. 

4.3 Discussion 

Before solving the cooperative synthesis problem in the next section, let us discuss some interesting 
aspects of our hierarchy of cooperation levels. 

Incomparable levels: As already discussed in the example, our hierarchy of cooperation levels in Fig. [T] 
contains levels that are incomparable, i.e., where neither of the levels is stricter or clearly more desirable. 
The relative preferences between such levels may depend on the application. Among the levels that 
enforce j?/ —)• (gray in Fig. [Til, there is only one incomparability, namely between and ^ ) A 
G{E) The former favors the guarantees, the latter the assumptions. For incomparabilities between a 
level that enforces and one that does not, we suggest to prefer the former unless there are good 

reasons not to. 

Symmetry in Eig. [7} Our hierarchy is asymmetric because we included ^ ^ but not ^ ^ in 
D. Including contradicts the philosophy of cooperation to some extend, but is justified by the 

fact that we always take the point of view of the system in this paper, and try to synthesize a correct 
implementation that also helps the environment to satisfy its assumptions whenever this is reasonable, 
but without assuming that the environment has its own goals and behaves rationally (as in liMTOUT^flSl l. 
The guarantees often cannot be enforced unconditionally by the system, so the system has to rely on the 
assumptions to hold. However, the combination of £/ with G{E) £/ (or G(£')(^) in a cooperation 
level specification eliminates the possibility for the system to achieve correctness by simply enforcing a 
violation of £/ (and f^). 

Additional operators: We did not include any properties with a plain (£')-operator in our default hierar¬ 
chy. The reason is that (E) cp is quite a weak goal. The system could have exactly one trace on which (p 
is satisfied. As soon as the environment deviates from the input along this trace, the system can behave 
arbitrarily. Our default hierarchy also does not contain any occurrences of £/ but this is mainly 
to keep the presentation simple. Including jz/ V and G{E) V fS) would extend the hierarchy to 23 
levels. Additionally including lE) wherever GlE) is applied results in 77 levels. Thus, even with ex¬ 
tensions in the applied operators, the size of our hierarchy remains manageable. Details to these refined 
hierarchies and the reduction rules to obtain them can be found in Appendix IbI 

Eine-grainedness: Our hierarchy considers two dimensions: the goals (in terms of assumptions and guar¬ 
antees) to achieve, and the certainty with which the goal can be achieved: enforced, always reachable 
{G{E)), and initially reachable ((£"), if considered). In contrast, most existing synthesis approaches | |4l|^ 
M (see Section [Hi that go beyond plain correctness only focus on enforcing a maximum in the dimen¬ 
sion of goals. Yet, in this dimension they are often more fine-grained, e.g., by considering individual 
assumptions and guarantees or how often some property is violated. In principle, we could also increase 
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the granularity in our goal dimension. However, this also comes at a price: it would increase the size of 
the hierarchy and induce more incomparabilities, which makes it more difficult to define fhe preference 
befween fhe incomparable levels for a concrete applicafion. 


5 Synthesizing Desirable Systems 

After defining our hierarchy of cooperation levels, we fum fowards fhe synfhesis of implemenfafions fhaf 
maximize fhe possible cooperation level. We sfarf by describing how we can synfhesize an implemenfa- 
fion for a single cooperafion level, and fhen show in Sect 15.21 how fo synfhesize maximally cooperative 
implementations, which move upwards in fhe cooperafion level hierarchy whenever possible during fhe 
execution. 


5.1 Implementing a Single Cooperation Level 

The simple reduction of fhe cooperafive synfhesis problem for LTL fo synfhesis from a logic such as 
strategy logic 1T3I is obsfrucfed by fhe facf fhaf in our semantics, we always evaluafe fraces from fhe sfarf 
when evaluafing a subformula of fhe shape G(£') tp. Sfrafegy logic lacks a rewind operafor fhaf would 
allow fo jump back fo fhe sfarf of a frace. We could, however, encode a cooperafion level specification 
info CTL* wifh linear pasf [9], and use a corresponding synfhesis procedure. 

Insfead of following fhis route, we give a direcf aufomafa-lheorelic approach fo fhe synfhesis of reac¬ 
tive systems that implement some level of cooperation with the environment on a specification ,1^). 
The automata built in this way keep information about the states of the assumptions and guarantees 
explicit, which is needed to synthesize maximally cooperative implementations in the next subsection. 
Also, it makes the synthesis approach applicable to general m-regular word language specifications. 

Starting from the linear-time properties and f#, we show how to build a non-deterministic Rabin 
tree automaton that encodes the synthesis problem for some cooperation level specification H. Such a 
tree automaton can be checked for language emptiness in order to perform synthesis for one level of 
cooperation. 

Let and be deterministic Rabin word automata that encode ^, 

and . We translate the conjuncts (elements of D from Equation |2l) of some expression H in the 

grammar from Equation [T] to non-deterministic Rabin tree automata individually and then build the 

product between these tree automata, which encodes that all elements of H have to be satisfied in 
a candidate compufafion free. As cooperafion level specificalions have only three types of conjuncts, 
namely tp, {E)(p, and G{E)(p for some linear-time property (p, we simply give the translations for these 
types separately. 

Case (p: If (p is a linear-time property, the occurrence of (p in a cooperation level specification 
indicates that cp should hold on every trace of a synthesized implementation. Translating = {Q,J^ x 
G, 5,(70,^) to a Rabin tree automaton = (2, G, 5 'that enforces (p to hold along all traces 
in the tree is a standard construction, where we set: 

\/q € Q,o € G : 5'{q,o) = {{/1-7> 5{q, {i,o)) \ i G c/}} 

Case (E}ip: Here, we require the synthesized system to offer one path along which (p holds. In the 
tree automaton, we non-deterministically choose this path. Starting with.^,p = (Q,J^ x G,S,qo,^), we 
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obtain = {Q,^,qo,i^) with: 

'\/q G Q,o G : d\q,o) = [J {{/ i-G d{q, (/,o))} U {/' i- 7 > T | /' G J^,i' 7 ^ /}} 

i€J^ 

Case G{E)(p: In this case, for every node in a computation tree, we require the synthesized system to 
have a path on which tp holds that includes the selected node. Given = (Q, x €i’,S,qo,^), we can 
implement this requirement as a non-deterministic Rabin tree automaton = (Q',J^,^,S',qQ,^') 
with: 


Q' = QxB 

V(^,^) G Q',o G ^:5\{q,b),o) = [J {{/ (5(^, (/,o)),true)} 

i€J^ 

U{/^ !-)■ (5(^, (/',o)),false) | i' G J^,i' yf /}} 

^0 = (^o,true) 

= {(F X {true},G x {true}) | (F,G) G 
U{(0,fix {false})} 

The automaton augments the states in 2 by a Boolean flag. From every node in a computation tree 
accepted by regardless of whether it is flagged by true or false, there must exist a branch consisting 
only of true-labeled nodes. The original acceptance condition must hold along this branch. However, 
not all branches of a tree accepted by have to satisfy (p, as those branches along which the flag is 
false infinitely often are trivially accepting. Intuitively, also enforces the safety hull of (p along all 
branches in the computation tree as once a bad prefix has been seen on the way to a computation tree 
node, there cannot exist a branch containing the node along which tp holds, which is enforced by the 
(required) successor branch that is always labeled by true. 

In order to obtain a non-deterministic Rabin tree automaton for a complete cooperation level 
specification H, we can compute a product automaton from the Rabin tree automata for the individ¬ 
ual conjuncts. Computing such a product automaton is a standard operation in automata theory. Given 
a set of non-deterministic Rabin tree automata, 

their product is defined as the non-deterministic Rabin tree automaton = {Q,^,ff,5,qo,^) with: 

Q = QiX...xQn 

d{{qi,...,qn),o) = 0 5i{qi,o) 

Go = (^0,1, • • ■7G0,n) 

^ = {(Fi X ... xF„,Gi X ... X G„) I 

(Fi,Gi)g^i,...,(F„,G„)g#-4 

The second line of this equation holds for all (^ 1 ,... ,^n) G Q and o G Also, we used the special 
operator 0 that maps sets {M,- C to the set 

{{iiGU---,Gn),i) ^ \ A fjii)=Gj}\fi^Mu---,fn&Mn} 

By performing reactive synthesis using the product Rabin tree automaton as specification, we can obtain 
an implementation that falls into the chosen cooperation level. 
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5.2 Maximally Cooperative Synthesis 

For linear-time specifications £/ and W, there are typically some cooperation level specifications that are 
not realizable (such as ^ A(^) and some that are realizable (such as Q{E){s^ f^)). By iterating over 

all cooperation level specifications and applying reactive synthesis for the product Rabin tree automata 

computed by the construction from above, we can check which is the highest cooperation level that 
can be realized and compute a respective implementation. 

In some cases, there may however be the possibility to switch to a higher level of cooperation during 
the system’s execution. Take for example the case that initially, the cooperation level G{E)s^ A 
(#) is not realizable, but {s/ —>■ (#) is. This may be the case if represents the constraint that the 
environment has to perform a certain finite sequence of actions in reaction to the system’s output, which 
is representable as a safety property. If the actions are triggered by the system, then the system cannot 
ensure that the environment succeeds with performing them correctly, hence violating . If j?/ —can 
only be realized by the system by triggering these actions at least once, then after these actions have been 
performed by the environment, the cooperation level specification G{E)£/ A {£/ —> can however be 

enforced by the system by not triggering them again. 

This observation motivates the search for maximally cooperative implementations, which at any point 
in time realize the highest possible cooperation level. Before describing how to synthesize such imple¬ 
mentations, let us first formally define what this means. 

When determining the cooperation level during the execution of a system, we only look at the 
part of its computation tree that is consistent with the input obtained from the environment so far. 
Given a computation tree (T, t) and the input part of a prefix trace w'^ = wjf wf we 

define the bobble tree fT4l l of (T, t) for to be the tree (T', t'), where T' = {g} U {wff wf .. .wf \ 
k <n}yj {w^t I t E J^*}, and T'(f) = T(f) for all t E T'. We call w'^ the split node of {T','c') and 
{T{£),WQ){T{wQ),wf)...{T{wQ...w^_^),w^) the split word of {T','c'). Intuitively, the bobble tree 
has a single path to the split node and is full from that point onwards. Cutting a full computation tree 
into a bobble tree does not reduce the cooperation level that the tree fulfills for the specification types in 
the classes that we can built from the conjuncts in D (from Eqn.O: 

Lemma 1. Let {T,z) be a computation tree and be a bobble tree built from {T,z). If for some 

cooperation level specification H consisting of conjuncts in D, we have that {T, z) fulfills H, then {T', z') 
also fulfills H. 

Proof Proof by induction over the structure of H, using the semantics given on page|5] All conjuncts 
in D have an outermost universal quantification over the elements in L{{T, z)). Reducing the number of 
elements in L{{T, z)) does not make these constraints harder to fulfill. □ 

Bobble trees provide us with a semantical basis for switching between cooperation levels: if a reactive 
system {T, z) for a cooperation level H executes, and after some prefix trace w, there exists a bobble tree 
with split word w that allows a strictly higher cooperation level El', then it makes sense to continue the 
execution of the system according to cooperation level El'. We thus define: 

Definition 1. Let be a linear-time specification. We call a computation tree {T,z) maximally 

cooperative if for every split node t &T, the bobble tree induced by t and {T, z) implements a highest 
possible cooperation level for ^ and among the bobble trees with the same split word. 

Note that since for some bobble tree, there may be multiple highest cooperation levels, it makes 
sense to define a preference order for the cooperation level specifications, so that when synthesizing an 
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implementation, the implementation can always pick the most desired one when the possibility to move 
up in the hierarchy arises. 

In order to synthesize maximally cooperative implementations, we first need a way to check, for 
every split word, for the existence of a bobble tree for cooperation level specifications. The special 
structure of the tree automata built according to the construction in Sect. 15.II offers such a way. 

Definition 2. Let = {Q,y^ be a non-deterministic tree automaton for a cooperation 

level specification built according to the (product) construction from Sect. I5.il We have that Q is of the 
shape Cl X ... X C„, where for every / E {1we either have Ci = Q' or C,- = 2^ x B/or some Rabin 
word automaton state set Q'. For a state q = (ci,... ,c„) E Q, we define unpack{q) = unpack{c\) U ... U 
unpack(c„), where we concretize unpack{q') = q' and unpack{(q',b)) = q' for some word automaton 
state q' E Q' and i? E B. 

Lemma 2. Let be a tree automaton built according to the (product) construction from Sect, \5.1\f rom 
a cooperation level specification with conjuncts in D over the linear-time specifications , sF —)■ 
and l\'^. Let those linear-time specifications be represented by Rabin word automata with the state 

sets Qs^, Q<s, Qs^^<s, and respectively. Without loss of generality, let these state sets be disjoint. 

We have that: 

1. For all reachable states q in , there is at most one state in unpack (q) from each of Q^, Q>^, 

and Qs^^<s■ 

2. All states in with the same set unpack (q) have the same languages. 

Proof. The first claim follows directly from the constructions from Sec. 15.11 for every state in the indi¬ 
vidual Rabin tree automata built from cooperation level specification conjuncts of the shapes G{E)(p 
and tp, the automata always track the state of the corresponding word automata for a branch of the tree. 

For the second claim, we decompose the states in into their factors and prove the claim for 
each factor individually. For factors originating from cooperation level specifications of the shape cp for 
some linear-time property (p, this fact is trivial. For factors originating from specification conjuncts of 
the shape G{E)(p, the claim follows from the fact that the tree automaton states that only differ in their 
Boolean flag have fhe same successor sfafe funcfions. □ 

Lemma [2] fells us how we can swifch befween cooperation levels. Assume fhaf we can always read 
off all currenf sfafes of Qj^, and from unpack(q) for any sfafe ^ of a producf free 

aufomafon This assumpfion can be made satisfied by leffing be fhe producf of all elemenfs in 
fhe sef of considered cooperafion level specificafion conjuncfs D, buf only using fhe ones in fhe currenf 
cooperafion level H when building fhe accepfance condifion of . Now consider a second cooperation 
level specificafion H' fhaf is higher in fhe hierarchy fhan H and ifs associafed free aufomafon Lef W 
be fhe sfafes in with a non-empty language and W' be the states of with a non-empty language. 
If we find a state q' in for which unpack(q') = unpack{q), and state q' has a non-empty language, 
then we can simply re-route every transition to q to q' and obtain a new tree automaton with the states in 
and that enforces a higher cooperation level on a bobble tree along all branches in run trees that 
lead to q. If we now identify the non-empty tree automaton states for all cooperation level specifications 
in our hierarchy, and apply this approach to all pairs of the corresponding tree automata and all of their 
states, we end up with a tree automaton that accepts maximally cooperative computation trees. More 
formally, this line of reasoning shows the correctness of the following construction: 

Definition 3. Let //i,... ,//i 4 be the cooperation level specifications of our hierarchy, ordered by pref¬ 
erence and respecting the hierarchy’s partial order <h, and let ,..., be the non-deterministic 
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Rabin tree automata for them. Let us furthermore rename states q in an automaton fLR to {q,j) to 
make their names unique, and let every tree automaton fLR be given as a tuple {Qj, 8j,qQj,^j). 

Let W C IJj Qj be the states in the tree automata with a non-empty language. We define the Rabin tree 
automaton SL = (2', G, 5' encoding the maximally cooperative synthesis problem as follows: 

Q’= U Qi 

;e{i.14} 

do = doj for j = max{j € {1,..., 14} | qoj eW} 

^' = U ... U ^14 

S'{{dJ),o) = {{i ^ id'j') I f = max{k € {1,...,14} | 3{q”,k) € Qu : 

q G W,unpack{q") = unpack{f{i)),Hj <h Hk}, 
unpack{q'') = unpack {f {i)), 
iU = /) ^ d" = fii))} I / € Sj{q,o)} 
for all {q, j) € Q' and i G ^ 

Theorem 1. A Rabin tree automaton built from linear-time specifications and ^ according to Def. 13 
encodes the maximally cooperative synthesis problem for the specification Building the tree 

automaton and checking it for emptiness can be performed in doubly-exponential time for specifications 
in LTL. 

For specifications given as deterministic Rabin word automata, the time complexity is polynomial in the 
number of states and exponential in the number of acceptance pairs. 

Proof. For the correctness, note that the tree automaton can switch between cooperation levels only 
finitely often, and whenever it switches, it only does so to strictly higher levels of cooperation. 

To obtain doubly-exponential time complexity of maximally cooperative synthesis from LTL spec¬ 
ifications, we first translate 'IS, sF ^ ^, and sF l\^ to deterministic Rabin word automata with 

a doubly-exponential number of states and a singly-exponential number of acceptance condition pairs, 
which takes doubly-exponential time. The overall sizes of the tree automata build for the cooperation 
levels are then polynomial in the sizes of the Rabin word automata. We can compute W in time expo¬ 
nential in the number of acceptance pairs and polynomial in the number of tree automaton states, which 
sums up to doubly-exponential time (in the lengths of £/ and for LTL. When building if and com¬ 
puting the accepted computation tree, the same argument applies. If the specification is given in form of 
deterministic Rabin word automata, then all the product automata computed in the process have a num¬ 
ber of states that is polynomial in the number of states of the input automata and a number of acceptance 
pairs that is polynomial in the number of acceptance pairs of the input automata. By the complexity of 
checking Rabin tree automata for emptiness and computing IT, the second claim follows as well. 

□ 

Theorem [3 states that synthesizing maximally cooperative implementations from LTL specifications 
does not have a higher complexity than LTL synthesis in general. Note, however, that both the syn¬ 
thesis time and the size of the resulting systems can increase in practice as the Rabin automata built in 
cooperative synthesis are larger than in standard LTL synthesis. 

Also note that we can extend the theory from this subsection to also include cooperation level spec¬ 
ification conjuncts of the shape {E)(p. However, we would need to add flags fo fhe free aufomafa fo 
keep frack of whefher fhe currenf branch in a compufafion free is fhe one on which (p should hold. As 
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these flags need to be traeked along ehanges between the eooperation levels, the definitions from this 
subseetion would beeome substantially more eomplieated. Thus, we refrained from doing so here. 


6 Conclusion 

Conventional synthesis algorithms often produee systems that aetively work towards violating environ¬ 
ment assumptions rather than satisfying assumptions and guarantees together. In this paper, we worked 
out a fine-grained hierarehy of eooperation levels between the system and the environment for satisfy¬ 
ing both guarantees and assumptions as far as possible. We also presented a synthesis proeedure that 
maximizes the eooperation level in the hierarehy for linear-time speeifieations, sueh as Linear Tempo¬ 
ral Logie (LTL). The worst-ease eomplexity of this proeedure for LTL is the same as of eonventional 
LTL synthesis. Our approaeh relieves the user from requiring eooperation in the speeifieation explieitly, 
whieh helps to keep the speeifieation elean and abstraet. 

In the future, we plan to work out eooperative synthesis proeedures for other speeifieation languages, 
and evaluate the results on industrial applieations. 
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Figure 2: Example specification to illustrate all cooperation levels from Fig.[T] 


A Another Example 

To complement Section l4~2l this section illustrates all cooperation levels from Fig.[T]on a more technical 
example. The assumptions ^ are defined using the Rabin word automaton = {Q,^ x ^,5,qo, 
{(0,G^)}) shown in Fig. |2l where Q = {<70, • • • ,^i 6 }. the input alphabet is = {xo,xi,X2}, and the 
output alphabet is ^ = {jo, • • • ,y\ 2 }- Fig.|2]labels edges with conditions over the input and output letters 
to define the transition function 8 . For instance, the condition -ivq means that the transition is taken for 
all letters {x,y) ^ ^ x where x^xq. Edges without a label are always taken. Note that the system can 
only influence the next state from qy. with output yi, the next state will be qi. The acceptance condition is 
defined with = {^ 0 )^ 65 ^ 7 )^ 85 ^ 95 ^ 11 )^ 12 }- That is, the blue states in Fig.|2]must be visited infinitely 
often for £/ to be satisfied. The guarantees W are defined using the automaton = {Q,^ x ^,5,qo, 
{(0,Gg?)}), which differs from,^^ only in the acceptance condition: with G^ = {^ 2 )^ 13 )^ 145 ^ 15 }) ^ is 
satisfied if the green states in Fig. |2] are visited infinitely often. 

The following paragraphs present and discuss one system behavior (defined in the form of a compu¬ 
tation tree) per cooperation level in Fig.[I] 

.e/ —» The computation tree T 5 ) with = y^ for all w'^ E represents a system that 

always outputs yj. It satisfies because q^ is a trap where neither nor is satisfied. This is 

“correct” but rather unsatisfactory. 

{si —)■ A is satisfied by the computation tree with T4(w^) =y4. Again, si 

^ holds because staying in {^ 25 ^ 4 } violates si. Still, at any point in time, there exists some future 
environment behavior that satisfies ^ (namely one that choses xq infinitely often). Thus, T 4 is slightly 
better than T5. 

{si /\G{E) si\ is satisfied by (J^*,T 3 ) with = ya: At any point in time, si can be 

satisfied for some future environment behavior (namely if xq is chosen in qj, infinitely often). Since 
si (because of the unconditional edge from ^0 to qi), this implies that also ^ can be reached. Yet, 
neither si nor are enforced because the environment could always give xi to get stuck in ^ 3 . However, 
assuming that the environment does not behave totally self-destructive, both si and will be satisfied. 
Thus, T 3 is even better than Z 4 . 

The computation tree with T 2 {w’^) = y 2 enforces W, but defeats any hope of reaching si. It is 
thus better than Z 2 but incomparable with T 3 : Enforcing is better than having reachable, but si being 
unreachable is worse than having si reachable. Hence, the choice between T 2 and T 3 is a question of 
selfishness. 

AG(E) si : is satisfied by Ti (w^) = yi: No matter if the environment picks xq or not in < 71 , the state 
q 2 will always be visited because of the unconditional edge from qo to ^ 2 - Visiting qo infinitely often 
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(and thus satisfying £/) is always possible, but not enforced. Hence, Ti dominates both T 2 and T 3 . 

^ l\s^\ is enforced by To(vv‘^) =yo‘ independent of the environment, both and q 2 are visited 
repeatedly. Thus, To is the most desirable system behavior. 

The remaining cooperation levels from the hierarchy in Fig.[T]do not satisfy the traditional correctness 
criterion . Still, a computation tree for such a level behaves better than arbitrarily in various ways, 

and are useful from states where cannot be enforced. 

G(£') —>■ is satisfied by the computation tree Tg) with T 6 (w'^) = yg for all G J^*. At 

any point in time, there exists some environment behavior that either violates (by going to ^ 5 ) or that 
satisfies (by going fo ^ 13 ). However, alone is nol reachable from every poinf in every execufion: if 
fhe environmenf already fra versed fo < 75 , is losf. Similarly, is nol reachable al every poinf in lime 
because fhe environmenf may already have fraversed fo ^ 13 . Finally, nol enforced because 

wilh inpul xq the environment may stay in ^g forever, thereby satisfying si but not Nevertheless, 
having si feasible at any point in time is better than nothing. 

The computation tree with T 7 (w'^) = y? satisfies G(£')(#, and is fhus heller lhan Tg. G (£')si 
does nol hold because from ^ 13 , si is unreachable, jz/ —)• (# is nol enforced because Ihe environment 
could stay in qi forever. Yet, T? is still incomparable with T 5 (enforcing si —)■ 1^), because with T 5 , there 
is not even a hope of reaching 1 ^. 

G{E) si : is similar to the previous case. The computation tree with Tio(>v^) = yio satisfies G(£') si, 
bul si is nol enforced because Ihe environmenf can slay in ^iq. Moreover, G(£') iysi (#) does nol hold 
because il is unreachable from < 79 . 

: The compulation free wilh T 9 (>v‘^) = y 9 enforces si, and Ihus dominates Tiq- Yel all hopes for 
satisfying Ihe guarantees are lost 

si A GIF)!#: The system behavior Ts(w^) = ys enforces si A G(£')(# and eliminates Ihis defecl of 
T 9 : if Ihe environmenf is nol hostile and produces xi or X 2 infinitely often, ^ is achievable. 

{G(E) si) f\G(E) is satisfied by Ihe system behavior Ti 2 (w^) = yi 2 . The guarantee is 

losl, bul al any poinf in time, il is still possible lhal si is satisfied (by visiting 512 infinitely often) and lhal 
si is violated (by only visiting ^ig from some poinl on). This is slighlly belter lhan Tiq (which satisfies 
G{E) si alone) because Ihe correclness properly .( 2 / —is reachable al any poinl. Wilh Tio, it may 
happen that the correctness property is lost once and for all. 

(G(E)si) A {G{E)^) and G{E) {si A(^): The system behavior Tn(vv^) = yn satisfies {Q{E) si) A 
{G{E)^) as well as G{E) {si AW). In our example, Ihere is no way lo distinguish Ihese Iwo levels 
because we chose objectives defined by visiting some slates infinitely often. For olher specification 
classes, Ihere can be a difference, Ihough. si is nol enforced by Tn because Ihe environmenf could 
always slay in ^ 15 . si is nol enforced eilher because Ihe environmenf could stick lo ^n. Still, Ihis 
is belter lhan a prospecl of reaching only si or only W. 


B Extended Cooperation Hierarchies 

As discussed in Section 1431 we can extend our hierarchy in various ways. When extending Ihe conjuncls 
from Eqn. |2]wilh siM^ and G(£') {^ V1^), we oblain Ihe hierarchy shown in Figure |3l which has 23 
levels. We applied Ihe following reduction rules in addition lo Ihose mentioned in Section 1431 

• ‘S implies i?/ V 

• si implies sii^, 

• G(£')(# implies G(£') (.( 2 /V(#), 
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Figure 3: A refined hierarchy of cooperation levels. 


• G{E) £/implies G{E) {£/y'i^), 

• j?/ —and si together imply and 

• si and G (E) {si Vtogether imply G{E)^. 

When further extending the conjuncts from Eqn. [2]with {E) {^), (E) {si), {E) {si At^), {E) {si —>■ 
t#) and (£■) {si V ^) we obtain a hierarchy of 77 cooperation levels using the following additional reduc¬ 
tion rules: 

• G(£') tp implies {E) (p for all (p € , si,si t\^, si ,siy^} 

• implies {E){si —>■ ), 

• {E) {si At#) implies {E) si and G(£')t#, 

• si and {E) si together imply {E) {si At#), 

• si and (£')t# together imply {E) {si At#), 

• {E) {^ t#) and si together imply {E) (t#). 

• (£■) t# implies {E) {si V t#), 

• {E) si implies {E) {si V t#), 

• . 2 / —>■ t# and {E) {si V t#) together imply (F) t#. 

The first six reduction rules directly correspond to the rules from Section Iddl but using (F) instead of 
G{E). The latter three rules correspond to rules from the previous paragraph, again instantiated with 
G(E) instead of (E). 











































